[Cryptography Team] Re: KryptOn MakoEnvelope signedAndSealedFrom:to:object:

Matthew S. Hamrick mhamrick at cryptonomicon.net
Tue Jan 10 17:18:39 CET 2006


Hey Tony...

Thanks for joining the fray. I'm going to express an unpopular  
opinion here... Sometimes the Wikipedia is _not_ the reference of  
choice. It's a great place to start (as with any Encyclopedia) but  
its focus is, as far as I can tell, to be broad rather than deep.

So I'm not trying to criticize here... not you... not the Wikipedia...

I just wanted to offer a few additional resources for modes of  
operation that I consider a little more authoritative.

http://csrc.nist.gov/CryptoToolkit/modes/

and

http://csrc.nist.gov/CryptoToolkit/modes/workshop1/index.html

The first is an overview of the modes of operation section of NIST's  
"Crypto Toolbox". The second links to the proceedings of a conference  
on the subject.

On 10 Jan 2006, at 05:38, Tony Garnock-Jones wrote:

> Hi Chris,
>
> ECB, CTR ("Counter"), EAX and GGM are all modes of operation for block
> ciphers. This wikipedia page
> http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation provides a
> good overview of the different modes, and why ECB is a bad choice, and
> why an AEAD mode (near the bottom of the page) is better than a
> non-authenticating mode.
>
> (I was particularly struck by the spectacular failure of ECB mode to
> encrypt the sample image!)
>
> With specific reference to a Mako signed-sealed envelope, probably the
> best thing to do is to perform the public-key signing operation on the
> original data, and then encrypt-and-MAC the signed data as a separate
> step. The thing to do is to change the way envelopes are sealed (the
> signing process can be left alone) to be an encrypt-and-MAC operation
> rather than a simple encrypt-only operation with no integrity
> protection. For instance, Rijndael in EAX or GGM mode would do nicely
> for the enciphering step.
>
> Another thing to watch out for is the key-exchange protocol, which can
> be really sensitive.
>
> Cheers,
>   Tony
>
> Chris Muller wrote:
>> Hi Tony, it may very well be the other way around.  I
>> am honestly no encryption expert, just a skilled
>> implementor.  I will try to find the web reference
>> that recommended that.
>>
>> As for ECB, I'm sorry I have no idea what that means.
>> This is exactly the kind of critique I need your guys'
>> help with.  I am hoping that the usage and management
>> are mostly ok, but there may be some tightening needed
>> in the cryptography layer.
>>
>> This is a very worthy discussion for the cryptography
>> list, I hope you don't mind that I have copied that
>> list here.
>>
>> Cheers,
>>   Chris
>>
>> --- Tony Garnock-Jones <tonyg at lshift.net> wrote:
>>
>>> Hi Chris,
>>>
>>> In the comment to method MakoEnvelope
>>> class>>signedAndSealedFrom:to:object:, you write "Security experts
>>> recommend putting the signed inside the sealed".
>>>
>>> Isn't it the other way around? According to
>>> http://www-cse.ucsd.edu/users/mihir/papers/oem.html the least insecure
>>> method is to encrypt, then MAC.
>>>
>>> Also: On digging into the implementation of enciphering, it looks like
>>> the default cipher, Rijndael, is being used in ECB mode. Have I analysed
>>> that correctly? (If so, there are other modes that might be better: AEAD
>>> modes such as EAX or GGM; at a minimum, CTR, but an AEAD mode would be
>>> better, of course)
>>>
>>> Regards,
>>>   Tony
>
> -- 
>  [][][] Tony Garnock-Jones     | Mob: +44 (0)7905 974 211
>    [][] LShift Ltd             | Tel: +44 (0)20 7729 7060
>  []  [] http://www.lshift.net/ | Email: tonyg at lshift.net
> _______________________________________________
> Cryptography mailing list
> Cryptography at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
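
Added example, not part of the original thread and not KryptOn code: the difference between an encrypt-only seal and an encrypt-then-MAC seal applied to already-signed data, as discussed in the quoted messages. Assumptions: all function names are hypothetical, the signing step is taken as already done, and an HMAC-SHA256 counter keystream stands in for Rijndael in CTR mode because Python's standard library has no block cipher.

```python
# Added example; names are hypothetical. The HMAC-SHA256 keystream is a
# stand-in for a block cipher in CTR mode, not Rijndael and not EAX.
import hashlib
import hmac
import os

TAG_LEN = 32    # HMAC-SHA256 output size in bytes
NONCE_LEN = 16

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Keystream block i = HMAC-SHA256(key, nonce || i), truncated to length.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_only(enc_key: bytes, data: bytes) -> bytes:
    # Confidentiality without integrity protection.
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))

def decrypt_only(enc_key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))

def seal(enc_key: bytes, mac_key: bytes, signed_data: bytes) -> bytes:
    # Encrypt, then MAC the nonce and ciphertext under an independent key.
    blob = encrypt_only(enc_key, signed_data)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, sealed: bytes) -> bytes:
    if len(sealed) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed envelope too short")
    blob, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("envelope failed integrity check")
    return decrypt_only(enc_key, blob)  # decrypt only after the tag verifies

def flip_bit(blob: bytes, index: int) -> bytes:
    # Simulates modification of one byte while the envelope is in transit.
    out = bytearray(blob)
    out[index] ^= 0x01
    return bytes(out)
```

With `encrypt_only`, a flipped ciphertext bit decrypts to a plaintext with the same bit flipped and no error; with `seal`/`unseal` the same modification is rejected before any decryption happens.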
